boneyard
Valued Contributor

FG-IR-19-144 more information available?

https://fortiguard.com/psirt/FG-IR-19-144

https://kb.fortinet.com/kb/microsites/microsite.do?cmd=displayKC&docType=kc&externalId=FD45293

How are people acting on this? Are you upgrading / have you already upgraded? How have you upgraded?

The advisory is quite vague in its explanation of the issue and quite strong in the advice to upgrade NOW, in my opinion. If it just involves a failure to properly check revoked certificates, then that would mainly affect client cert authentication (yes, it affects server certificates, but exploits there would involve some man-in-the-middle magic). Which you can easily check if you use it and then choose not to upgrade. But if it were just that, I can't imagine an advisory of this level.

Next to that, there is the interesting line on the manual upgrade: it mentions TFTP and USB but not HTTPS (regular file upload), so is that OK or not? Why would you omit the most common way (next to download from FortiGuard) if it is allowed?

PS: I have a ticket with support open, but looking for community input.

4 REPLIES 4
gurumul
New Contributor

Pretty bad description indeed. Could be OCSP, CRL request ... or updates to FortiGuard Servers ... or ...

How can an administrator decide to upgrade or not based on the provided information?

Thanks for providing us your ticket output.

FortiOSman
New Contributor III

Bump

FortiOSman

It looks like one of their workarounds is the IPS signature, and looking into that sig, they specify revoked Fortinet certificates. So I would assume as long as you aren't using Fortinet certs for anything you should be fine.

I won't be rushing to upgrade for this.

https://fortiguard.com/encyclopedia/ips/48207

boneyard
Valued Contributor

The whole situation feels kinda weird. Critical bulletin, but medium IPS signature.

Support did say it only involves Fortinet certificates indeed. They also indicated it mainly revolves around authentication with certificates.

Still, if that is it, why the critical bulletin? Don't get it.
